Eval all the strings! - Hardened JavaScript


This talk is about Secure ECMAScript (SES) and Compartments, which are TC39 proposals, and I'm working with the people championing those proposals on tooling to make these concepts usable.
This is a first-hand account of the future of JavaScript security.
SES plus tooling (LavaMoat or Endo) makes it possible to limit access to the network, fs, core modules or globals on a per-package basis.
I want to show how they work, what possibilities they open and how to make that future happen today with some effort.
To me this is the final step in securing the npm supply chain: even if a package gets taken over by bad actors, it won't be able to hurt me.

8 min
14 Apr, 2023

Video Summary and Transcription

NPM packages can be potentially dangerous, so it's important to be proactive in managing them. LavaMoat allows you to detect and investigate suspicious packages before deploying your app. LavaMoat prevents unauthorized access to sensitive resources by isolating dependencies and using hardened JavaScript. LavaMoat makes it easier to analyze obfuscated files and understand their actions.


1. The Importance of Proactive Package Management

Short description:

NPM packages are unsanitized inputs from the Internet that you run in your application. What if some of them are malicious and dangerous? Waiting for someone to find out is not ideal. With LavaMoat, you can be proactive instead of reactive. It allows you to detect suspicious packages and investigate them before shipping your app to production. Let me show you a demo.

OK, I'm Zb. Now, Gector, it's in the corner and in the middle. OK, would you take a string I gave you and run it in your application? Like, that's code. Raise your hands if you would. No, really? OK, would it help if I put it in the tar.gz file? [audience laughs] Because that's what NPM packages are, and they're glorious, don't get me wrong, but they're also unsanitized inputs from the Internet that you run in your application.

Yeah, and we love them. I'm installing NPM packages all the time. Like, that's the main thing I do at work. But what if some of them are not great? And I don't mean lousy packages. I published a bunch of lousy packages, nothing bad happened, but actually malicious, dangerous packages, what then? Well, you can wait for someone to find out that the package is malicious, submit it somewhere and then npm audit is gonna tell you a few weeks after you shipped your app to production with this package in your dependencies. That works already. You can go with Socket.dev, which has a much tighter feedback loop, but it just tells you that stuff is suspicious and you have to investigate. So do you have time to read your dependencies? I don't know. Ooh, I don't have a network connection. That's funny. Yeah, there was a logo here. Okay, but with LavaMoat, you can be proactive instead of reactive. And that's a great thing, being proactive instead of reactive. Let me see if I can refresh this now. Okay, I have a demo. I can show you what it does. This is a very brief version of the demo. Sorry, there are many more steps, but I have an app here that's using a package to get very valuable data and then it's sending it to a different server with some authorization that's coming from environment variables. Okay, if I run it, I have this localhost server running and it's gonna pop up the result. Okay, that's what it does. It gets stuff. So, what's the package doing? The package is getting this valuable information from somewhere and sending it over. Okay, now what if the maintainer got bored and handed over the package to someone else who had some bad intentions? Okay, so see, live coding, barely any typing. So, if they grab your precious secret and send it elsewhere, what would happen? Well, they would get it.

2. Preventing Unauthorized Access with LavaMoat

Short description:

LavaMoat generates a policy to prevent unauthorized access to sensitive resources. By using hardened JavaScript and lockdown, LavaMoat isolates each dependency within the same process, preventing tampering with the JavaScript environment. If you want to know more, I'm offering to help you set up LavaMoat in your project.

Okay, so the other server just got the secret, right? And the stuff still works. Okay, so what if we want to prevent it? That's where LavaMoat comes in, and LavaMoat generates a policy for you which contains information like: this package can access fetch and Buffer, for other versions of that package that I wanted to demo.

Okay, so with LavaMoat, if I do, I have LavaMoat wired as npm test. I'm gonna run it and it's gonna say this. It's slightly garbled but it says process did not exist. Process was undefined actually for this package only. So you can use process in the main app or other packages but this package doesn't have access to it.

Okay, so let's do some more hacking. Have you heard of prototype pollution? There was a chance to hear about it today. So if I take Object.prototype and I define a setter as an authorization field on that and I pass an authorization header to fetch, fetch is going to call my setter that I set on the global prototype. How funny. Okay, so this is still gonna work under regular Node. Okay, and then with, yeah, I got the bearer and the secret. Okay, but if I run under LavaMoat, I'm gonna get an error that says cannot define property authorization, object is not extensible. LavaMoat is also using a technology behind the scenes called lockdown that locks down everything and it's impossible to tamper with the JavaScript environment itself.

Okay, going back here. So what's the magic? It's called hardened JavaScript. It lets you isolate, in our case, we're using it to isolate each dependency within the same process. There are no other contexts or realms involved in all of this. It has Compartment, lockdown, harden, yeah let's skip over that. It's becoming part of the language eventually. It's an early stage proposal right now, but coming from people who are responsible for stuff like CommonJS, Promise in the language, et cetera. If you want to know more, these links are available. And I'm offering to help you set up LavaMoat in your project if you get in touch early enough. But I promised I'll eval all the strings, right? So I have one more demo that's, oh, I'm not over time yet. Cool. I made this thing, I used this technology to make this thing where I can run any code and get prompted synchronously for everything it reaches for. So I took actual malware from NPM. It's already removed but it was there. Yeah, let's run it.

3. Analyzing an Obfuscated File

Short description:

The file uses eval and multiple levels of obfuscation. After deobfuscating, it reveals the required modules and performs various actions, including analyzing data and sending a post to Discord. The file was not difficult to understand, thanks to LavaMoat.

So it's using eval and a bunch of other stuff a bunch of times, and I have to agree to this but I went through this scenario a bunch of times. So it has four levels of obfuscation. I tried to deobfuscate it and it didn't work after deobfuscating, very clever malware.

And now it reveals itself to me. So you want to know what the file looks like? This is the original file I'm running in my tool. And, it says, require fs. Okay, what else do you require? https, child_process, cool. It tries to exit something and then it requires axios and then it reaches for process. Okay, let's give it a fake process. Env, local app data, okay, okay. I know what you're looking for, cool. Let's give it a string that I can recognize and then it does readdirSync on that and tries to analyze it. Then it calls task list process. Okay, nice, and then it sends a post to Discord. I didn't have to deobfuscate the file. It revealed itself to me, thank you. LavaMoat.
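
The prototype-pollution demo in section 2, reduced to its mechanism, as an added example that is not code from the talk or from LavaMoat. It assumes `Object.freeze(Object.prototype)` as a stand-in for what SES `lockdown()` does to shared intrinsics, and it runs the scenario in a `node:vm` context only so the demo cannot affect the intrinsics of the process running it; `runScenario`, the scenario script and the token are constructed for illustration.

```javascript
const vm = require('node:vm');

// Constructed scenario. It runs in a fresh realm only so the demo never
// freezes or pollutes the intrinsics of the process running this file.
const scenario = `
  const captured = [];
  let installError = null;
  // Stand-in for SES lockdown(), which freezes all shared intrinsics.
  if (freezeFirst) Object.freeze(Object.prototype);

  // What the taken-over dependency attempts: a setter on the shared prototype.
  try {
    Object.defineProperty(Object.prototype, 'authorization', {
      configurable: true,
      set(value) { captured.push(value); },
    });
  } catch (err) {
    installError = err.message;
  }

  // Unrelated application code building request headers.
  const headers = {};
  headers.authorization = 'Bearer ' + secret;

  JSON.stringify({
    captured,
    installError,
    headerIsOwnProperty: Object.prototype.hasOwnProperty.call(headers, 'authorization'),
  });
`;

function runScenario(freezeFirst) {
  const sandbox = { freezeFirst, secret: 'constructed-demo-token' };
  return JSON.parse(vm.runInNewContext(scenario, sandbox));
}

const unprotected = runScenario(false);
const lockedDown = runScenario(true);
console.log('plain intrinsics: ', unprotected);
console.log('frozen intrinsics:', lockedDown);
```

With plain intrinsics the assignment never creates a header on the object at all: the inherited setter receives the value instead. With the prototype frozen, the setter cannot be installed and the assignment behaves normally.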
